Attention: All the exercises are run on the machines named H3
and Router in each pod. To log in to the machines, please ask the
TA to help you log in with the root account.
1. Get familiar with NetPoke
NetPoke is a tool that replays a tcpdump file onto a network.
You will find 4 tcpdump files in your home directory
(LLS_DDOS_?.0_dmz.dump, LLS_DDOS_?.0_inside.dump); you can
send out the packets in any of the dump files by typing:
./netpoke -d eth1 filename
Here 'filename' is the name of a dump file in the directory /usr/NetPoke/.
If you want to see when each packet is sent, you can use the
"-T" option:
./netpoke -d eth1 -T filename
or, if you want to send the packets faster than the actual
speed, use the "-s" option followed by the speed-up factor
you would like. For example, 3 times faster is:
./netpoke -d eth1 -s 3 filename
Above are the most frequently used netpoke options.
What you need to do in the first lab session is read the netpoke
manual (man netpoke) and try the commands above on the machine that has
NetPoke installed. For each dump file, stop netpoke after 5
minutes and read the snort alert log on the other machine.
You may run into problems sending out packets when
using the -s option; don't worry about that.
2. Get familiar with Snort
Snort is a free IDS tool. What you need to do is get familiar with
the basic options of snort.
a) Sniffer Mode
./snort -v      view TCP/IP packet headers
./snort -vd     view detailed packet info
./snort -vde    view very detailed packet info
b) Packet Logger
-l logs the packets to a directory.
-h specifies the home network that logging is relative to; we don't need
this option in our particular environment.
First create a directory named "log" in the /usr directory, then:
./snort -dev -l ./log
This will generate a tcpdump file.
To log a binary file, use the -b option after the directory name:
./snort -l ./log -b
c) NIDS mode
Use the -c option to apply the rules file.
./snort -dev -l ./log -c snort.conf
Here 'snort.conf' is the snort configuration file in the directory
/usr/rules/. Make sure you give the right path to snort.conf and the right network address.
You can use the "-A fast" option for a simpler alert log format.
d) Analyze tcpdump file
Use the -r option to read a binary tcpdump file and -c to apply the rules.
./snort -r filename.dump -c snort.conf -l ./log
Analyzing all 4 DARPA dump files will be your second lab session's job.
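As an added example for the second session (not part of this handout and not Snort's own code), the script below runs snort in read mode over each DARPA dump with "-A fast", one log directory per dump, and then summarizes a fast-format alert file by signature and by source host. It assumes the dumps are in the current directory, snort.conf is in /usr/rules/, and snort writes the fast alerts to <logdir>/alert; the sample alert lines are constructed, with local-rule SIDs and private addresses.

```shell
#!/bin/sh
# Added example (not from the handout or from Snort): analyse each DARPA dump
# with "-A fast" and summarise the resulting alert file.
# Assumptions: dumps in the current directory, snort.conf in /usr/rules/,
# fast-format alerts written to <logdir>/alert.

# One log directory per dump so the four captures' alerts stay separate.
analyze_dumps() {
    for dump in LLS_DDOS_*_dmz.dump LLS_DDOS_*_inside.dump; do
        logdir="./log/$(basename "$dump" .dump)"
        mkdir -p "$logdir"
        ./snort -r "$dump" -c /usr/rules/snort.conf -l "$logdir" -A fast
    done
}

# Fast-format alert line:
#   <time> [**] [gid:sid:rev] message [**] [Classification: ...] [Priority: N] {PROTO} src[:port] -> dst[:port]
# Count alerts per signature (the text between the first two "[**]" markers).
count_by_signature() {
    awk '{ n = split($0, f, "\\[\\*\\*\\]"); if (n < 3) next
           gsub(/^ +| +$/, "", f[2]); c[f[2]]++ }
         END { for (k in c) print c[k], k }' "$1" | sort -rn
}

# Count alerts per source host; ICMP alerts carry no port, so the port is optional.
count_by_source() {
    awk '{ for (i = 2; i <= NF; i++) if ($i == "->") { s = $(i-1); sub(/:[0-9]+$/, "", s); c[s]++ } }
         END { for (k in c) print c[k], k }' "$1" | sort -rn
}

# Constructed sample alert file (local-rule SIDs, private addresses) so the
# summary functions can be tried without running snort.
write_sample_alerts() {
    cat > "$1" <<'EOF'
03/07-10:42:15.123456 [**] [1:1000001:1] LAB ICMP sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.1 -> 172.16.1.2
03/07-10:42:16.223456 [**] [1:1000001:1] LAB ICMP sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.1 -> 172.16.1.3
03/07-10:42:17.323456 [**] [1:1000002:1] LAB TCP XMAS scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.1:40123 -> 172.16.1.2:22
03/07-10:43:01.000001 [**] [1:1000003:1] LAB root prompt in reply [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.1.2:23 -> 10.0.0.5:2001
EOF
}

sample=$(mktemp)
write_sample_alerts "$sample"
echo "== alerts per signature =="; count_by_signature "$sample"
echo "== alerts per source host =="; count_by_source "$sample"
rm -f "$sample"
```

On the lab machines, call analyze_dumps first and then point count_by_signature and count_by_source at each ./log/<dump>/alert file.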